Facing a continuing rise in fraud and fraud attempts against financial institutions, Nacha has announced new rules to help organizations mitigate these risks. These new rules will take time to implement, so institutions should begin preparing now rather than waiting until the rules go into effect.
In a recent PaymentsJournal podcast, Brian Holbrook, Director of Product Strategy and Integrated Solutions at LSEG Risk Intelligence, spoke with Elisa Tavilla, Director of Debit at Javelin Strategy & Research, about how to prepare for the changes and ultimately reduce the success rates of fraudulent activities. They explained how the new rules provide institutions an opportunity to rethink their entire approach to the ever-evolving nature of fraud.
The New Nacha Rules
In 2023 alone, 80% of organizations fell victim to payment fraud, a 15% increase from the previous year. ACH payment methods have, in some circles, become the most targeted in business email compromise fraud situations.
The proposed Nacha amendments provide new tools for combatting this issue. These changes are staggered to take effect between October 2024 until June 2026. For many organizations, the effort will require significant planning, budgeting and operational changes. Noncompliance with the rules can lead to monetary fines, increased scrutiny from regulators, reputational damage, and in severe cases, legal and regulatory actions.
Another important aspect of the new rules is the encouragement of a more collaborative approach towards mitigating ACH fraud. In particular, they enlist both sending and receiving financial institutions into combating unauthorized transactions as well as authorized push payment transactions, such as credit push fraud.
While Nacha specifically addresses ACH credit push transactions, other payment rails also use credit push, including wire transfers, peer-to-peer payments, and real-time payments like RTP and FedNow. By preparing for the new rules and risks associated with credit push for ACH, organizations can also better prepare for other payment methods.
How It Works
In traditional fraud monitoring, most of the focus was on debit pull transactions. The new rules would empower the receiving financial institution to play a key role in monitoring ACH fraud risk as well. A receiving depository or financial institution may decide to return funds to the originating depository financial institution if it determines that the transaction is suspicious.
“When you look at the responsibilities of both a sending and receiving organization, the operational adjustments are going to take time,” said Holbrook. “You have to take into account the entire customer lifecycle. Receiving financial institutions are now going to have more time to review transactions and potentially return those funds to the originator.”
Early preparation is key to success. LSEG has put together a preparation playbook focusing on three critical aspects to consider before the rules take effect.
The first step is for organizations to review their current capabilities and identify where fraud is most likely to occur within the existing life cycle.
“Start thinking about not just a customer life cycle but a transactional life cycle,” said Holbrook. “Think about your capabilities in terms of ongoing KYC of not just your customer but of their transactions.”
Next, define what success looks like within your organization. While reducing fraud is the primary goal, it must be balanced against customer friction and proper monitoring capabilities. Identify where significant impact can be made, not just to comply with regulatory or Nacha rule changes, but to enhance the customer experience, reduce fraud, and improve your organization’s reputation for prioritizing customer protection.
Lastly, identify areas for improvement, both internally and in terms of the customer experience. Ensure you’re educating customers so they understand how you are protecting their transactions, whether it involves money coming in or going out.
Be Prepared
Organizations that aren’t prepared for these new rules can leave themselves more open to fraudulent attacks.
“Some of the risks of not being prepared for these new Nacha rules—or just for ongoing more sophisticated fraud risks in general—is the fact that if all other players in the industry and your peers are prepared, that can make your organization more vulnerable,” said Tavilla. “You wouldn’t want to make yourself a target.”
Complying with the new rules will rely on an integration of technologies, processes, and people.
“It’s going to take all three of those things in order to be successful here,” said Holbrook. “It’s important to think of this as not just something that needs to be complied with, but as an opportunity for organizations to have a key differentiator. Are you looking for a vendor to check a box, or are you looking for a partner who’s going to be there with you day in and day out to help mitigate the instances of fraud?”
The expected benefit comes down to a long-term strategic planning vision that will allow organizations to not just view these changes as a point in time, but to put in processes and procedures that will allow them to be flexible as the fraud landscape continues to evolve.
“When we look at the rise of AI, the fraudsters are getting more and more sophisticated with their abilities,” Holbrook said. “This is the right opportunity to find the right tools, the right partners, the right processes to in effect do as much as possible to future-proof any additional nuances or changes or new fraudulent activity that we see in the industry.”